Serverless Brain Dump: Use Lambda with RDS Aurora Serverless

2022/04/06: Lambda now supports built-in HTTPS function urls. This sort of derailed the API Gateway portion, which I was planning for part 2 of this 3 part series.

2022/04/21: Aurora Serverless V2 is now generally available. One notable feature is that V2 clusters can be made available to the public, which was not possible with V1, so a greater portion of this article is not exactly relevant anymore.

A few thoughts:

Using a relational database with a serverless function has been frowned upon in my experience, specifically due to the concerns of multiple ephemeral functions spinning up and exhausting the database’s connection pool.

I’ve always wanted to use Postgres more on my deployed personal projects, but never enjoyed paying for a long running instance that received nearly no traffic (roughly $20/month for the smallest instance size), so I’ve always reached for DynamoDB instead.

Both of these prior thoughts drove me towards RDS Aurora Serverless, Amazon’s serverless relational database service. It can scale up with your traffic, and scale back down to zero when it is unused, costing you $0 if you have no traffic.

And again, not wasting money on something you’re not really using is always nice.

Prerequisite

Typically when you create long running RDS instances, you’re presented with an option to make the database available to the public internet.

However, with Aurora Serverless, you do not get this option. Your database — well, cluster of databases — can only be accessed from within a VPC. This means that any sources of compute, like a Lambda function in this case, also need to exist inside that VPC.

VPC

Specifying a VPC for a Lambda function can be accomplished through the AWS dashboard, or some programmatic way such as the AWS SDK, or an infrastructure-as-code tool like Terraform, but this on its own come with a couple requirements.

`IAM` Permissions

In order to attach a VPC to a Lambda, the Lambda's execution role needs permissions to call CreateNetworkInterface on EC2. This can be handled by attaching the managed IAM policy, AWSLambdaVPCAccessExecutionRole, to the role.

AWSLambdaVPCAccessExecutionRole

Policy ARN:

arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole

Description:

Provides minimum permissions for a Lambda function to execute while accessing a resource within a VPC - create, describe, delete network interfaces and write permissions to CloudWatch Logs.

Permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "ec2:CreateNetworkInterface",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DeleteNetworkInterface",
        "ec2:AssignPrivateIpAddresses",
        "ec2:UnassignPrivateIpAddresses"
      ],
      "Resource": "*"
    }
  ]
}

See this user guide.

Without this permission you’ll get the following error whether you’re attempting to attach a VPC via the console or SDK ¹:

InvalidParameterValueException: The provided execution role does not have permissions to call CreateNetworkInterface on EC2.

Specify Security Group IDs and Subnet IDs

With proper EC2 permissions, updating the function's configuration ¹ will now succeed both from the console and SDK.

In order to actually specify a VPC for a Lambda function, you need to select security group IDs and subnet IDs.

Below is a script that I wrote in go to automate all the would-be manual clicking of this process.

Helper Script

The inputs...

Parameter	Description
`lambdaArn`	The ARN of the Lambda function to update. Security Group IDs and Subnet IDs can be derived from this.
`vpcId`	The ID of the VPC to attach to the Lambda
`roleName`	The name of the Lambda’s execution role

💭 Looking back, maybe roleName can be derived from lambdaArn.

The code...

package main

import (
	"context"
	"errors"
	"log"
	"time"

	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/config"
	ec2 "github.com/aws/aws-sdk-go-v2/service/ec2"
	ec2types "github.com/aws/aws-sdk-go-v2/service/ec2/types"
	iam "github.com/aws/aws-sdk-go-v2/service/iam"
	lambda "github.com/aws/aws-sdk-go-v2/service/lambda"
	lambdaTypes "github.com/aws/aws-sdk-go-v2/service/lambda/types"
)

// This series of operations is necessary for a Lambda to connect to Aurora Serverless
func AttachLambdaToVpc(lambdaArn, vpcId, roleName string) error {
	cfg, _ := config.LoadDefaultConfig(context.TODO(), config.WithRegion("us-east-1"))

	ec2service := ec2.NewFromConfig(cfg)

	// get subnets for the VPC
	log.Println("Getting subnets for VPC", vpcId)
	subnets, _ := ec2service.DescribeSubnets(context.TODO(), &ec2.DescribeSubnetsInput{
		Filters: []ec2types.Filter{
			ec2types.Filter{
				Name:   aws.String("vpc-id"),
				Values: []string{vpcId},
			},
		},
	})

	var subnetIds []string
	for _, subnet := range subnets.Subnets {
		subnetIds = append(subnetIds, *subnet.SubnetId)
	}
	log.Println("Subnets:", subnetIds)

	// get a single security group for the VPC
	log.Println("Getting security group for VPC", vpcId)
	sg, _ := ec2service.DescribeSecurityGroups(context.TODO(), &ec2.DescribeSecurityGroupsInput{
		Filters: []ec2types.Filter{
			ec2types.Filter{
				Name:   aws.String("vpc-id"),
				Values: []string{vpcId},
			},
		},
	})

	securityGroupId := *sg.SecurityGroups[0].GroupId
	log.Println("Security Group:", securityGroupId)

	// update FunctionConfiguration
	log.Println("Updating FunctionConfiguration for", lambdaArn)

	for i := 1; i < 5; i++ {
		shouldRetry := tryUpdateLambdaConfig(lambdaArn, vpcId, roleName, securityGroupId, subnetIds)
		if shouldRetry {
			log.Println("Waiting 5 seconds before retrying...")
			time.Sleep(5 * time.Second)
		} else {
			break
		}
	}
	return nil
}

func tryUpdateLambdaConfig(lambdaArn string, vpcId string, roleName string, securityGroupId string, subnetIds []string) bool {
	cfg, _ := config.LoadDefaultConfig(context.TODO(), config.WithRegion("us-east-1"))
	lambdaService := lambda.NewFromConfig(cfg)
	iamService := iam.NewFromConfig(cfg)

	var shouldRetry bool

	if updateOutput, err := lambdaService.UpdateFunctionConfiguration(context.TODO(), &lambda.UpdateFunctionConfigurationInput{
		FunctionName: aws.String(lambdaArn),
		VpcConfig: &lambdaTypes.VpcConfig{
			SecurityGroupIds: []string{securityGroupId},
			SubnetIds:        subnetIds,
		},
	}); err != nil {
		var ipe *lambdaTypes.InvalidParameterValueException
		if errors.As(err, &ipe) {
			// handle the following error:
			// InvalidParameterValueException: The provided execution role does not have permissions to call CreateNetworkInterface on EC2
			log.Println("UpdateFunctionConfiguration error:", ipe)
			log.Println("  Attaching policy:", "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole")
			log.Println("  ...to role:", roleName)

			if _, err := iamService.AttachRolePolicy(context.TODO(), &iam.AttachRolePolicyInput{
				PolicyArn: aws.String("arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"),
				// ⚠️ This must be role name string; You cannot use ARN for some reason...
				RoleName: aws.String(roleName),
			}); err != nil {
				log.Println("error:", err)
				log.Fatalln("Failed to attach policy to role")
			} else {
				log.Println("Successfully attached IAM policy to role. Please run this again.")
			}

			// signal to the consumer that we should retry
			shouldRetry = true
			return shouldRetry
		} else {
			log.Fatalln("UpdateFunctionConfiguration unexpected error:", err)
		}

	} else {
		log.Println("Successfully updated FunctionConfiguration:")
		log.Println(*updateOutput.FunctionName)
		log.Println(*updateOutput.FunctionArn)
	}

	return shouldRetry
}

package main

// example usage
func main() {
  AttachLambdaToVpc(
		"arn:aws:lambda:us-east-1:XXXXXXXXXXXX:function:wp-nodejs-express", // lambdaArn
		"vpc-XXXXXXXX",             // vpcId
		"lambda-wp-nodejs-express", // roleName
	)
}

The logic flow is roughly:

Get subnets for a given VPC ID
Get a single security group for a given VPC ID
Attempt to update the Lambda’s configuration with these Values
Check for failure; Attempt to attach the IAM policy to the Lambda’s execution role
Retry step 3

After this configuration update is applied, the Lambda function will be able to connect to the Aurora Serverless cluster through your typical language-specific clients, like node-postgres.

What about connection pooling?

I ran an end-to-end test with an open source HTTP load gnerator (go based), on my FQDN → API Gateway → Lambda → Aurora integration ². What I observed was that up to 1,000 concurrent lambda functions ³, the Aurora Serverless cluster appeared to autoscale up fine.

But this crude testing was done on a single Apple M1 Max computer, so take it with a grain of salt.

More brain dumpage coming soon...

Got any feedback?

Feel free to leave any comments, questions, suggestions below in the new comments section, powered by utterances 🔮

Updating a Lambda’s configuration executes lambda::UpdateFunctionConfiguration under the hood. ↩ ↩²
I’ll write about the full FQDN → API Gateway → Lambda → Aurora integration in the next two posts. ↩
1,000 is the default concurrency limit set by AWS. ↩